Friday, 6 July 2018

WCCP Configuration

WCCP (Web Cache Communication Protocol) is a Cisco protocol that lets a router redirect web traffic from clients to a proxy server. Using a proxy server has a number of advantages:
  • Caching: reduces network bandwidth, because web content that has been requested before can be served from the proxy cache instead of being fetched again from the Internet.
  • Filtering: all web traffic goes through the proxy server first, so you can block certain websites.
  • Monitoring: if you want to know what your users are doing, you can log it on the proxy server.
WCCP is the protocol the Cisco router and the proxy server use to talk to each other. The proxy tells the router that it is alive and ready to serve web pages, and the same periodic messages act as a keepalive so the router notices when the proxy goes down. The router is called the WCCP server and the proxy is called the WCCP client.
In this tutorial I will first explain the basics of how WCCP forwards traffic to the proxy, and then I will show you the configuration of the Cisco router and of the proxy, using Squid on Linux.
At the end of this post I also have Wireshark captures that show the exact traffic path from the client to a host on the Internet with the proxy in between. Let's get started, shall we?

WCCP Transparent Proxy Traffic Flows

To demonstrate this I will use the following topology: a small network with a Cisco router, a host that will browse the Internet and a Squid proxy server:
(Figure: WCCP Cisco small network topology)
The router and proxy server are both running WCCP. The Squid proxy server announces itself to the router over UDP port 2048 and the router responds:
(Figure: WCCP messages between router and proxy)
When the host wants to browse the Internet it sends a TCP SYN to the destination, which arrives at the router:
(Figure: host sending TCP SYN)
Without WCCP the router would simply forward the TCP SYN towards the Internet. Because we are running WCCP, something else happens: the router forwards the host's TCP SYN to the proxy server instead:
(Figure: host's TCP SYN redirected to the proxy)
To make sure the original packet is not changed, the router wraps it in a GRE tunnel. GRE is normally used when the proxy server is on another subnet; when the proxy is on the same subnet you can also use Layer 2 redirection, which only rewrites the Ethernet header. The proxy completes the TCP handshake with the host, reads the HTTP request (which is redirected to it the same way), and checks its cache to see if it has served the requested page before:
(Figure: proxy retrieving HTTP from the Internet)
When the page is not in its cache, the proxy contacts the webserver on the Internet itself and requests the page the host asked for. That upstream connection is sourced from the proxy's own IP address, which is why the redirect-list below exempts the proxy: otherwise its own port 80 traffic would match the list and be redirected straight back to it. Once the proxy has the page it serves it to the host:
(Figure: proxy sends TCP SYN ACK to host)
The important part, visible in the SYN ACK above, is that the source IP address of everything the host receives is the IP address of the webserver on the Internet, NOT the proxy server. From the host's perspective it is talking directly to the webserver and has no idea that there is a proxy server in the path. This is what we call a transparent proxy.
You now have an idea of how WCCP and proxying work; let's look at the configuration of the proxy server and the Cisco router. I will use the topology that I just showed you for this demonstration.
WCCP(config)#ip wccp version 2
WCCP(config)#ip access-list standard SQUID_SERVER 
WCCP(config-std-nacl)#permit 192.168.1.253
WCCP(config)#ip access-list extended PROXY_USERS
WCCP(config-ext-nacl)#deny tcp host 192.168.1.253 any
WCCP(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 80
WCCP(config-ext-nacl)#deny ip any any
WCCP(config)#ip wccp web-cache redirect-list PROXY_USERS group-list SQUID_SERVER
WCCP(config)#interface FastEthernet 0/0
WCCP(config-if)#ip wccp web-cache redirect in 
WCCP#show ip wccp
WCCP#debug ip wccp packets
WCCP#debug ip wccp events 

If you already have a proxy server and the clients are expected to reach the Internet through it, the WCCP redirect configured under an interface takes precedence over the other forwarding rules on that interface: the packet is inspected in the ASIC and, if it matches, is taken off its normal path and handed to the proxy. As best practice, first create a redirect-list that specifies which devices (clients) are to be redirected; optionally a group-list can restrict which proxy IP addresses are allowed to register with the router, and a password can also be set.
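The registration exchange from the traffic-flow section (the proxy announcing itself on UDP 2048) and the password mentioned in the paragraph above, as an added Python example that is not part of the original post and is not Squid's or Cisco's code. It builds a WCCPv2 "Here I Am" message the way a cache would and checks it the way the router does, with and without the MD5 password component. The field layout follows the WCCPv2 Internet-Draft and Squid's wccp2.cc as recalled here, and a real client also sends Web-Cache View and Capability components that are omitted, so confirm offsets against a capture before depending on them. The cache address and password are made up; nothing is sent on the wire.

```python
"""WCCPv2 "Here I Am" (client -> router, UDP/2048) with the optional MD5
security component, and the router-side acceptance check. Field layout per
the WCCPv2 draft / Squid wccp2.cc as recalled; verify against a capture."""
import hashlib
import hmac
import socket
import struct
from typing import Optional

WCCP2_HERE_I_AM = 10        # the router answers with I_SEE_YOU (11), not modelled
WCCP2_VERSION = 0x0200

SECURITY_INFO, SERVICE_INFO, WC_ID_INFO = 0, 1, 3   # component types used here
NO_SECURITY, MD5_SECURITY = 0, 1
PASSWORD_LEN = 8            # WCCP passwords are at most 8 bytes, NUL padded

# 8-byte message header, then Security Info: 4-byte component header,
# 4-byte option, 16-byte digest. The digest therefore starts at offset 16.
DIGEST_OFF = 8 + 4 + 4


def component(ctype: int, body: bytes) -> bytes:
    """Every WCCPv2 component is type(2) + body length(2) + body."""
    return struct.pack("!HH", ctype, len(body)) + body


def service_info_web_cache() -> bytes:
    """Standard service 0 ("web-cache", TCP/80). For a standard service the
    priority, protocol, flags and the eight port fields are sent as zero."""
    return component(SERVICE_INFO, struct.pack("!BBBBI8H", 0, 0, 0, 0, 0, *([0] * 8)))


def web_cache_identity(addr: str) -> bytes:
    """Web-cache identity: address(4), hash revision(2), flags(2), 32 bucket
    bytes, weight(2), status(2). Buckets are zero; the router assigns them."""
    body = socket.inet_aton(addr) + struct.pack("!HH", 0, 0) + bytes(32) + struct.pack("!HH", 0, 0)
    return component(WC_ID_INFO, body)


def wccp_md5(password: bytes, msg_with_zeroed_digest: bytes) -> bytes:
    """MD5 over the NUL-padded 8-byte password followed by the whole message
    (header included) with the digest field zeroed."""
    pwd = password[:PASSWORD_LEN].ljust(PASSWORD_LEN, b"\0")
    return hashlib.md5(pwd + msg_with_zeroed_digest).digest()


def build_here_i_am(cache_addr: str, password: Optional[bytes]) -> bytes:
    """What the WCCP client (the proxy) sends to the router."""
    if password is None:
        security = component(SECURITY_INFO, struct.pack("!I", NO_SECURITY))
    else:
        security = component(SECURITY_INFO, struct.pack("!I", MD5_SECURITY) + bytes(16))
    body = security + service_info_web_cache() + web_cache_identity(cache_addr)
    msg = struct.pack("!IHH", WCCP2_HERE_I_AM, WCCP2_VERSION, len(body)) + body
    if password is not None:
        digest = wccp_md5(password, msg)            # digest field is still zero here
        msg = msg[:DIGEST_OFF] + digest + msg[DIGEST_OFF + 16:]
    return msg


def router_accepts(msg: bytes, configured_password: Optional[bytes]) -> bool:
    """The router's check before it registers the sender as a cache and starts
    redirecting HTTP to it. With no password configured there is nothing to
    verify beyond the message shape: the sender is taken at its word."""
    if len(msg) < 16:
        return False
    mtype, version, length = struct.unpack("!IHH", msg[:8])
    if mtype != WCCP2_HERE_I_AM or version != WCCP2_VERSION or len(msg) != 8 + length:
        return False
    ctype, clen = struct.unpack("!HH", msg[8:12])
    (option,) = struct.unpack("!I", msg[12:16])
    if ctype != SECURITY_INFO:
        return False                                 # Security Info must come first
    if configured_password is None:
        return option == NO_SECURITY and clen == 4
    if option != MD5_SECURITY or clen != 20 or len(msg) < DIGEST_OFF + 16:
        return False
    received = msg[DIGEST_OFF:DIGEST_OFF + 16]
    zeroed = msg[:DIGEST_OFF] + bytes(16) + msg[DIGEST_OFF + 16:]
    return hmac.compare_digest(received, wccp_md5(configured_password, zeroed))


if __name__ == "__main__":
    cache, pw = "192.168.1.253", b"wccp-key"          # constructed values
    good = build_here_i_am(cache, pw)
    print(len(good), "bytes, accepted:", router_accepts(good, pw))
    print("wrong password accepted:", router_accepts(build_here_i_am(cache, b"guess"), pw))
    print("no password on either side, accepted:",
          router_accepts(build_here_i_am(cache, None), None))
```

The point of the check: the group-list is only a source-IP filter, and IP source addresses are not authentication. With no password, a well-formed message from an allowed address is all it takes to become the cache that receives every matching HTTP flow; with the password configured, a message hashed with the wrong key, or altered after hashing, is dropped before registration.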


ip wccp version 2
ip wccp 51 redirect-list 110 group-list 11

access-list 110 permit ip 10.55.0.0 0.0.255.255 any
access-list 11 permit 10.251.0.240

interface Vlan303
 ip address 1.1.1.1 255.255.255.0
 ip wccp 51 redirect in
 ! applied on the client-facing VLAN interface


or

access-list 101 permit tcp any 10.2.0.0 0.0.255.255
access-list 101 permit tcp 10.2.0.0 0.0.255.255 any

ip wccp 61 redirect-list 101

interface fastEthernet 0/0
 ip wccp 61 redirect in
interface serial0
 ip wccp 61 redirect in
end
write memory

Here is what you need to configure:
1- Enable WCCP globally with ( ip wccp web-cache ); the default version is 2.
2- Limit redirection to the HTTP requests coming from VLAN 10 by attaching a redirect-list globally with ( ip wccp web-cache redirect-list 100 ), where the list is:
    access-list 100 permit tcp x.x.x.x y.y.y.y any eq www
3- Apply the redirection on the VLAN interface:
    interface vlan10
    ip wccp web-cache redirect in
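All three configurations above hinge on the redirect-list: it decides which flows the router hands to the cache. As an added Python example (not code from the page, from IOS or from Squid), here is that evaluation modelled with Cisco ACL semantics and run over the PROXY_USERS list from the first configuration and the access-list 110 from the second. The client, proxy and web-server addresses used as test flows are constructed (203.0.113.10 is a documentation address standing in for a web server).

```python
"""Router-side evaluation of a WCCP redirect-list with Cisco ACL semantics:
entries are checked in order, the first match decides, wildcard-mask bits set
to 1 are "don't care", and anything unmatched hits the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. Ace("permit", "tcp", "192.168.1.0 0.0.0.255", "any", 80)."""
    action: str                 # "permit" | "deny"
    proto: str                  # "tcp", "udp", or "ip" (matches every protocol)
    src: str                    # "any" | "host A.B.C.D" | "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str
    dport: Optional[int] = None # the "eq <port>" qualifier, None if absent


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF           # wildcard 1-bits are ignored
    return (a & care) == (net & care)


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_match_addr(ace.src, flow.src) and _match_addr(ace.dst, flow.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"       # first matching entry wins
    return False                            # implicit "deny ip any any"


def wccp_redirects(redirect_list: List[Ace], flow: Flow) -> bool:
    """A flow entering an interface configured with 'ip wccp ... redirect in'
    is sent to the cache only if the redirect-list permits it."""
    return acl_permits(redirect_list, flow)


# ip access-list extended PROXY_USERS, entry by entry as in the first configuration
PROXY_USERS = [
    Ace("deny",   "tcp", "host 192.168.1.253",    "any"),       # the proxy's own connections
    Ace("permit", "tcp", "192.168.1.0 0.0.0.255", "any", 80),   # clients' HTTP
    Ace("deny",   "ip",  "any",                   "any"),
]
# The same list with the proxy exemption left out, to show why it is there.
PROXY_USERS_NO_EXEMPTION = PROXY_USERS[1:]

# access-list 110 permit ip 10.55.0.0 0.0.255.255 any (second configuration)
ACL_110 = [Ace("permit", "ip", "10.55.0.0 0.0.255.255", "any")]

# Constructed test flows
CLIENT_HTTP = Flow("tcp", "192.168.1.10",  "203.0.113.10", 80)
CLIENT_HTTPS = Flow("tcp", "192.168.1.10", "203.0.113.10", 443)
PROXY_FETCH = Flow("tcp", "192.168.1.253", "203.0.113.10", 80)   # Squid fetching on a cache miss
OTHER_SUBNET = Flow("tcp", "10.0.0.5",     "203.0.113.10", 80)
SITE_A_HTTPS = Flow("tcp", "10.55.12.7",   "203.0.113.10", 443)  # inside 10.55.0.0/16
SITE_B_HTTP = Flow("tcp", "10.56.0.1",     "203.0.113.10", 80)   # outside it


def decisions(redirect_list: List[Ace]) -> dict:
    return {name: wccp_redirects(redirect_list, f) for name, f in
            [("client_http", CLIENT_HTTP), ("client_https", CLIENT_HTTPS),
             ("proxy_fetch", PROXY_FETCH), ("other_subnet", OTHER_SUBNET)]}


if __name__ == "__main__":
    for name, redirected in decisions(PROXY_USERS).items():
        print(f"PROXY_USERS  {name:13s} -> {'redirect' if redirected else 'route normally'}")
    # Without the first entry Squid's own upstream fetch matches the permit
    # entry and is redirected straight back to Squid.
    print("no exemption proxy_fetch ->", decisions(PROXY_USERS_NO_EXEMPTION)["proxy_fetch"])
```

Two things the run makes visible: only port 80 from the client subnet is redirected, so HTTPS bypasses the proxy unless the list says otherwise, and the leading deny for the proxy's address is not cosmetic, since the proxy's own port 80 fetches enter the same interface and would otherwise be permitted by the second entry and looped back to it.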

GRE

Original packet sent from IP 1.1.1.1 to IP 5.5.5.5:

                 IP         Port
   Source        1.1.1.1    5432     Payload
   Destination   5.5.5.5    80

The WCCP client builds a GRE tunnel with the WCCP server (the router) for this.

GRE-encapsulated packet redirected from the router at IP 2.2.2.2 to the WAAS device (the WCCP client) at IP 3.3.3.3. The original packet is preserved as the inner packet:

                 Outer IP   Inner IP   Port
   Source        2.2.2.2    1.1.1.1    5432     Payload
   Destination   3.3.3.3    5.5.5.5    80

Layer 2

Original packet sent from IP 1.1.1.1 to IP 5.5.5.5:

                 MAC                  IP         Port
   Source        01.01.01.01.01.01    1.1.1.1    5432     Payload
   Destination   05.05.05.05.05.05    5.5.5.5    80

L2 rewrite redirects the packet from the router at MAC 02.02.02.02.02.02 to the WAAS device at MAC 03.03.03.03.03.03. Only the Ethernet header changes; the original packet is preserved:

                 MAC                  IP         Port
   Source        02.02.02.02.02.02    1.1.1.1    5432     Payload
   Destination   03.03.03.03.03.03    5.5.5.5    80
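The two tables above at byte level, as an added Python example that is not from the page: it builds the original 1.1.1.1:5432 -> 5.5.5.5:80 packet, wraps it the way the router does for GRE (outer IP 2.2.2.2 -> 3.3.3.3, GRE protocol type 0x883E followed by the 4-byte WCCP redirect header) and for a Layer 2 rewrite (only the MAC addresses change), and unwraps it on the cache side to confirm the original bytes survive. IPv4, TCP, Ethernet and GRE (RFC 2784) layouts are standard; the WCCP redirect header is modelled per the WCCPv2 draft with only its service-ID byte used, which is an assumption to check against a capture; the HTTP payload is constructed.

```python
"""GRE and Layer 2 WCCP redirection of the same IPv4/TCP packet, then the
cache-side unwrap. Standard header layouts; the 4-byte WCCP redirect header
after the GRE header is modelled with only the service-ID byte set."""
import socket
import struct
from typing import Tuple

ETH_P_IP = 0x0800
ETH_P_WCCP = 0x883E         # GRE protocol type carrying WCCP-redirected packets
IPPROTO_TCP = 6
IPPROTO_GRE = 47


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\0"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    # seq, ack, data offset 5 words, flags PSH|ACK, window; TCP checksum left 0 (not needed here)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def original_packet() -> bytes:
    """The row labelled 'Original packet' in both tables."""
    seg = tcp_segment(5432, 80, b"GET / HTTP/1.1\r\nHost: 5.5.5.5\r\n\r\n")   # constructed
    return ipv4_header("1.1.1.1", "5.5.5.5", IPPROTO_TCP, len(seg)) + seg


def gre_redirect(inner: bytes, router_ip: str, cache_ip: str, service_id: int = 0) -> bytes:
    """Router -> cache: new outer IPv4 (proto 47), GRE header (flags 0, proto 0x883E),
    4-byte WCCP redirect header, then the untouched original packet."""
    gre = struct.pack("!HH", 0x0000, ETH_P_WCCP) + struct.pack("!I", service_id & 0xFF)
    return ipv4_header(router_ip, cache_ip, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_unwrap(packet: bytes) -> Tuple[str, str, int, bytes]:
    """Cache side: (outer src, outer dst, service id, original packet). As Linux
    ip_gre does, the redirect header is skipped only if the bytes after the GRE
    header do not already start with an IPv4 version nibble (WCCPv1 omits it)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != ETH_P_WCCP:
        raise ValueError("not a WCCP GRE packet")
    off, service_id = ihl + 4, 0
    if (packet[off] & 0xF0) != 0x40:
        service_id = struct.unpack("!I", packet[off:off + 4])[0] & 0xFF
        off += 4
    return outer_src, outer_dst, service_id, packet[off:]


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def ethernet_frame(src_mac: str, dst_mac: str, ip_packet: bytes) -> bytes:
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip_packet


def l2_redirect(frame: bytes, router_mac: str, cache_mac: str) -> bytes:
    """Router -> cache on the same subnet: only destination and source MAC change;
    IP header, ports and payload are untouched, so no checksum is recomputed."""
    return mac(cache_mac) + mac(router_mac) + frame[12:]


def ipv4_header_ok(packet: bytes) -> bool:
    return ipv4_checksum(packet[:(packet[0] & 0x0F) * 4]) == 0


if __name__ == "__main__":
    orig = original_packet()
    src, dst, sid, inner = gre_unwrap(gre_redirect(orig, "2.2.2.2", "3.3.3.3"))
    print(f"GRE: {src} -> {dst}, service {sid}, inner intact: {inner == orig}")
    frame = ethernet_frame("01.01.01.01.01.01", "05.05.05.05.05.05", orig)
    rewritten = l2_redirect(frame, "02.02.02.02.02.02", "03.03.03.03.03.03")
    print("L2: dst MAC", rewritten[:6].hex(":"), "inner intact:", rewritten[14:] == orig)
```

L2 redirection needs the cache to be directly attached, since the router rewrites to its MAC, which is why the traffic-flow section treats GRE as the norm when the proxy sits on another subnet. The GRE cache side has to strip the outer IP, the GRE header and the WCCP redirect header before the original packet can be handed to the proxy process; gre_unwrap mirrors the nibble check Linux uses for that.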


